ScriptRunner Service with managed Account

Run ScriptRunner Service with a managed Service Account

Quick guide

  • Add the managed Service Account to the local Administrators group
  • Add the managed Service Account to the Distributed COM Users group
  • Grant the Log on as a service privilege to the managed Service Account
  • Assign the managed Service Account to the ScriptRunner Service
  • Grant the managed Service Account the DCOM Launch & Activate permissions for the Runtime Broker
  • Register the Service Principal Name for the managed Service Account
  • Reset the passwords for existing ScriptRunner credentials

Instructions

Please note that an administrative Command Prompt console on the
ScriptRunner Service host is required to run the commands.

  1. In the Local Users and Groups Management Console (lusrmgr.msc),
    add the managed Service Account to the Administrators group
  2. In the Local Users and Groups Management Console (lusrmgr.msc),
    add the managed Service Account to the Distributed COM Users group
  3. In the Local Security Policy Management Console (secpol.msc),
    add the managed Service Account to the policy Log on as a service.
    The policy is located at Security Settings\Local Policies\User Rights Assignment
  4. In the Services Management Console (services.msc), set the managed Service Account
    as the Log On Account for the ScriptRunner Service. The service must then be restarted.
  5. In the Component Services Management Console (comexp.msc),
    grant the managed Service Account the DCOM permissions Local Launch and
    Local Activation on the RuntimeBroker. The RuntimeBroker is located at
    Component Services\Computers\My Computer\DCOM Config.
  6. Register the Service Principal Name for the managed Service Account:
    SetSPN -a <Protocol>/<FQDN ScriptRunner Service Host> <SAMAccountName of the Service Account>

    If HTTPS is configured for ScriptRunner, the Service Principal Name must also be registered for HTTPS: SetSpn -a https://...

  7. For existing credentials in ScriptRunner, the passwords must be stored again.
    Credentials are stored per user in the Credential Manager, so the passwords
    must be stored again in the Credential Manager of the new Service Account.
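
The following read-only check of steps 1 to 4 and 6 is an added example, not part of the original ScriptRunner instructions. The account, the service name and the expected SPNs are passed in as parameters because the page does not state them. Steps 5 and 7 are not covered.

```powershell
# Added example: verifies the result of steps 1-4 and 6 without changing anything.
# Run in an elevated PowerShell console on the ScriptRunner Service host.
param(
    [Parameter(Mandatory)][string]$Account,        # e.g. DOMAIN\SAMAccountName of the managed Service Account
    [Parameter(Mandatory)][string]$ServiceName,    # service name as shown in services.msc
    [Parameter(Mandatory)][string[]]$ExpectedSpn   # e.g. <Protocol>/<FQDN ScriptRunner Service Host>
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value
$results = [ordered]@{}

# Steps 1 and 2: direct group membership, looked up by well-known SID so that
# localized group names do not matter. Membership via a nested group is not detected.
$groups = [ordered]@{ 'Administrators' = 'S-1-5-32-544'; 'Distributed COM Users' = 'S-1-5-32-562' }
foreach ($g in $groups.GetEnumerator()) {
    $members = Get-LocalGroupMember -SID $g.Value
    $results["Member of $($g.Key)"] = $members.SID.Value -contains $sid
}

# Step 3: export the user rights and look for the account's SID in SeServiceLogonRight.
# Only a direct entry is detected, not a right inherited through a group.
$cfg = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg -Force
$sidPattern = [regex]::Escape("*$sid") + '\s*(,|$)'
$results['Log on as a service'] = [bool]($right -and $right.Line -match $sidPattern)

# Step 4: the service must log on with the managed Service Account.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$svcSid = try { ([System.Security.Principal.NTAccount]$svc.StartName).Translate($sidType).Value } catch { $null }
$results['Service log-on account'] = $svcSid -eq $sid

# Step 6: every expected SPN must be listed for the account.
$registered = setspn -L $Account
foreach ($spn in $ExpectedSpn) {
    $results["SPN $spn"] = [bool]($registered | Where-Object { $_.Trim() -ieq $spn })
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-50} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```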

This page has been automatically translated and may contain grammatical errors or inaccuracies